Executive Summary

Independent Evaluation of the FDIC's Information Security Program—2013
Report No. AUD-14-002
November 2013

Why We Did The Audit

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the FDIC, to perform annual independent evaluations of their information security programs and practices and to report the evaluation results to the Office of Management and Budget (OMB). FISMA states that the independent evaluations are to be performed by the agency Inspector General (IG), or an independent external auditor as determined by the IG.

The objective of this performance audit was to evaluate the effectiveness of the FDIC's information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards, and guidelines.

Background

Key to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system is safeguarding the sensitive information, including personally identifiable information, that the FDIC collects and manages in its role as federal deposit insurer and regulator of state nonmember financial institutions. As an employer, an acquirer of services, and a receiver for failed institutions, the FDIC also obtains considerable amounts of sensitive information from its employees, contractors, and failed institutions. Implementing proper controls over this information in an environment of increasingly sophisticated security risks and global connectivity underscores the importance of a strong, enterprise-wide information security program.

FISMA requires federal agencies, including the FDIC, to develop, document, and implement agency-wide information security programs to provide security for their information and information systems and to support the operations and assets of the agencies, including information and information systems that are provided or managed by another agency, contractor, or other source. FISMA directs the National Institute of Standards and Technology (NIST) to develop risk-based standards and guidelines to assist agencies in defining security requirements for their information systems. In addition, OMB issues information security policies and guidelines for federal information resources pursuant to various statutory authorities. Further, the Department of Homeland Security (DHS) exercises primary responsibility within the Executive Branch for the operational aspects of federal agency cyber security with respect to the federal information systems that fall within the scope of FISMA. DHS's responsibilities include overseeing agency compliance with FISMA and formulating analyses for OMB's use in the development of its annual FISMA report to the Congress.

To address our objective, we performed audit procedures to evaluate the 11 security control areas outlined in DHS' November 30, 2012 document entitled, FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics. We evaluated the effectiveness of security controls in these areas by designing audit procedures to assess consistency between the FDIC's security controls and FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines. Our work included testing of selected servers and desktops and a review of the FDIC's oversight of an outsourced information service provided by Innovative Discovery.

Audit Results

We concluded that the FDIC had established and maintained many information security program controls and practices that were generally consistent with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines. Notably, the FDIC had established security policies and procedures in almost all of the security control areas we evaluated. The FDIC was also working to develop a formal concept-of-operations document that describes a corporate-wide approach to information security continuous monitoring.

To address current and emerging risks in the information technology (IT) and information security environments, the FDIC made significant changes to its security governance structure during 2013. Such changes included the realignment of the roles and responsibilities of the Chief Information Officer (CIO), Chief Information Security Officer, and Information Security and Privacy Staff. The FDIC also established an IT/Cyber Security Oversight Group to provide a senior-level forum for addressing cyber security threats and developments impacting both the FDIC and the banking industry. Such changes are positive and better position the FDIC to address information security risks from a corporate perspective. We plan to more fully assess the implementation of these security governance changes as part of our future audit and evaluation work.

Notwithstanding these accomplishments, we determined that continued management attention and control improvements are needed to more effectively identify, evaluate, and mitigate risk to the FDIC's information systems and data, particularly in the areas of Incident Response and Reporting, Risk Management, Configuration Management, Outsourced Information Systems and Services, and Contingency Planning. Specifically, the FDIC needed to strengthen its incident response policies and procedures to address sophisticated, cyber-based security incidents and update its corporate information security risk management policy to reflect changes in its risk management processes and governance. The FDIC can also take additional steps to help ensure that certain servers and workstations are patched to protect against known vulnerabilities. In addition, greater emphasis needs to be placed on assessing risks associated with the FDIC's outsourced information systems and services, where limited progress has been made in the last year. Finally, further analysis is warranted to ensure that information systems supporting mission essential functions can be recovered within the timeframes needed to support those functions.

Recommendations and Corporation Comments

Our report contains 15 recommendations intended to improve the effectiveness of the FDIC's information security program controls and practices. In many cases, the FDIC was already working to strengthen security controls in these areas during our audit. We identified certain other matters that we did not consider significant in the context of the audit objective, and we communicated those separately to appropriate FDIC management officials.

On November 19, 2013, the Acting CIO and the Director, Division of Administration, provided a written response to a draft of this report. In the response, FDIC management concurred with all 15 of the report's recommendations and described ongoing and planned corrective actions that were responsive.

Because this report contains sensitive information, we do not intend to make the report available to the public in its entirety. We will, however, post this Executive Summary on our public Web site.

Reliability of Previously Issued FISMA Audit Reports

In a memorandum entitled, Planned Actions to Address New Information Associated with Previously Issued Audit Reports on the FDIC's Information Security Program, dated May 30, 2013, the IG notified the FDIC Chairman that the OIG had become aware of new information related to the FDIC's information security program that could affect the reliability of certain findings and conclusions in our prior audit reports, entitled Independent Evaluation of the FDIC's Information Security Program—2011 (Report No. AUD-12-002, dated October 31, 2011) and Independent Evaluation of the FDIC's Information Security Program—2012 (Report No. AUD-13-003, dated November 5, 2012). These reports were not made available to the public due to the sensitive nature of the information they contained. Only the reports' Executive Summaries, which did not contain sensitive information, were posted on the OIG's public Web site.

Consistent with Government Auditing Standards, we provided notice on our public Web site and to users of the referenced FISMA reports that the associated findings and conclusions may not be reliable. As part of this year's audit, we performed expanded audit procedures to assess the impact of the new information on the findings and conclusions in the earlier reports. Based on those procedures, we determined that the findings and conclusions related to Incident Response and Reporting and Risk Management in both reports were not reliable, but that the reports' other findings and conclusions were reliable and the associated recommendations were valid. The results of our expanded audit procedures are described in our current year FISMA report. We plan to post a new notice on our public Web site that accompanies the Executive Summaries and clarifies the findings and conclusions therein for the two prior-year reports.